华为VPN技术

1. 启动设备

2. 配置IP地址

FW1\]int g1/0/0 \[FW1-GigabitEthernet1/0/0\]ip add 192.168.1.254 24 \[FW1-GigabitEthernet1/0/0\]int g1/0/1 \[FW1-GigabitEthernet1/0/1\]ip add 100.1.1.1 24 \[FW1-GigabitEthernet1/0/1\]service-manage ping permit \[FW2\]int g1/0/0 \[FW2-GigabitEthernet1/0/0\]ip add 192.168.2.254 24 \[FW2-GigabitEthernet1/0/0\]int g1/0/1 \[FW2-GigabitEthernet1/0/1\]ip add 200.1.1.2 24 \[FW2-GigabitEthernet1/0/1\]service-manage ping permit \[AR1\]int g0/0/0 \[AR1-GigabitEthernet0/0/0\]ip add 100.1.1.2 24 \[AR1-GigabitEthernet0/0/0\]int g0/0/1 \[AR1-GigabitEthernet0/0/1\]ip add 200.1.1.1 24 **3.** **配置Tunnel接口** \[FW1\]int Tunnel 0 \[FW1-Tunnel0\]ip add 172.16.1.1 24 \[FW1-Tunnel0\]tunnel-protocol gre \[FW1-Tunnel0\]source 100.1.1.1 \[FW1-Tunnel0\]destination 200.1.1.2 \[FW2\]int Tunnel 0 \[FW2-Tunnel0\]ip add 172.16.1.2 24 \[FW2-Tunnel0\]tunnel-protocol gre \[FW2-Tunnel0\]source 200.1.1.2 \[FW2-Tunnel0\]destination 100.1.1.1 **4.** **将防火墙接口加入指定区域** \[FW1\]firewall zone trust \[FW1-zone-trust\]add int g1/0/0 \[FW1-zone-trust\]q \[FW1\]firewall zone untrust \[FW1-zone-untrust\]add int g1/0/1 \[FW1-zone-untrust\]add int Tunnel 0 \[FW2\]firewall zone trust \[FW2-zone-trust\]add int g1/0/0 \[FW2-zone-trust\]q \[FW2\]firewall zone untrust \[FW2-zone-untrust\]add int g1/0/1 \[FW2-zone-untrust\]add int Tunnel 0 **5.** **配置OSPF** \[FW1\]ospf 1 \[FW1-ospf-1\]area 0 \[FW1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1\]ospf 1 \[AR1-ospf-1\]area 0 \[AR1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 \[FW2\]ospf 1 \[FW2-ospf-1\]area 0 \[FW2-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 **6.** **配置路由条目** \[FW1\]ip route-static 192.168.2.0 24 Tunnel 0 \[FW2\]ip route-static 192.168.1.0 24 Tunnel 0 **7.** **配置防火墙策略** \[FW1\]security-policy \[FW1-policy-security\]rule name local-untrust \[FW1-policy-security-rule-local-untrust\]source-zone local \[FW1-policy-security-rule-local-untrust\]destination-zone untrust \[FW1-policy-security-rule-local-untrust\]source-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]destination-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]action permit \[FW1-policy-security-rule-local-untrust\]q \[FW1-policy-security\]rule name untrust-local \[FW1-policy-security-rule-untrust-local\]source-zone untrust \[FW1-policy-security-rule-untrust-local\]destination-zone local \[FW1-policy-security-rule-untrust-local\]source-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]destination-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]action permit \[FW1-policy-security-rule-untrust-local\]q \[FW1-policy-security\]rule name trust-untrust \[FW1-policy-security-rule-trust-untrust\]source-zone trust \[FW1-policy-security-rule-trust-untrust\]destination-zone untrust \[FW1-policy-security-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-security-rule-trust-untrust\]action permit \[FW1-policy-security-rule-trust-untrust\]q \[FW1-policy-security\]rule name untrust-trust \[FW1-policy-security-rule-untrust-trust\]source-zone untrust \[FW1-policy-security-rule-untrust-trust\]destination-zone trust \[FW1-policy-security-rule-untrust-trust\]action permit \[FW2\]security-policy \[FW2-policy-security\]rule name untrust-local \[FW2-policy-security-rule-untrust-local\]source-zone untrust \[FW2-policy-security-rule-untrust-local\]destination-zone local \[FW2-policy-security-rule-untrust-local\]action permit \[FW2-policy-security-rule-untrust-local\]q \[FW2-policy-security\]rule name local-untrust \[FW2-policy-security-rule-local-untrust\]source-zone local \[FW2-policy-security-rule-local-untrust\]destination-zone untrust \[FW2-policy-security-rule-local-untrust\]action permit \[FW2-policy-security-rule-local-untrust\]q \[FW2-policy-security\]rule name trust-untrust \[FW2-policy-security-rule-trust-untrust\]source-zone trust \[FW2-policy-security-rule-trust-untrust\]destination-zone untrust \[FW2-policy-security-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-security-rule-trust-untrust\]action permit \[FW2-policy-security-rule-trust-untrust\]q \[FW2-policy-security\]rule name untrust-trust \[FW2-policy-security-rule-untrust-trust\]source-zone untrust \[FW2-policy-security-rule-untrust-trust\]destination-zone trust \[FW2-policy-security-rule-untrust-trust\]source-address 192.168.1.0 0.0.0.255 \[FW2-policy-security-rule-untrust-trust\]action permit **8.** **配置NAT策略** \[FW1\]nat-policy \[FW1-policy-nat\]rule name trust-untrust \[FW1-policy-nat-rule-trust-untrust\]source-zone trust \[FW1-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW1-policy-nat-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-nat-rule-trust-untrust\]action source-nat easy-ip \[FW2\]nat-policy \[FW2-policy-nat\]rule name trust-untrust \[FW2-policy-nat-rule-trust-untrust\]source-zone trust \[FW2-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW2-policy-nat-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-nat-rule-trust-untrust\]action source-nat easy-ip **验证:** **1.pc2ping** **通pc1** ![](https://i-blog.csdnimg.cn/direct/a732c73bc621449690661d69fffe9810.png) **2.** **查看FW2防火墙会话表(看GRE协议的数据包走向)** ![](https://i-blog.csdnimg.cn/direct/cfd17827e61a47968bcf9fdb0043c93a.png) **3.** **查看NAT地址转换(pc2ping100.1.1.1时,查看防火墙会话表,可以看到私网地址转换成200.1.1.2后访问100.1.1.1)** ![](https://i-blog.csdnimg.cn/direct/98bd075ad39c4a01834d152e183ac23a.png) **4.** **抓FW2G1/0/1端口的包查看(GRE的端口是47)** ![](https://i-blog.csdnimg.cn/direct/324da126ab134f369df65e5ecfb4c322.png)

相关推荐
iconball6 小时前
个人用云计算学习笔记 --18(NFS 服务器、iSCSI 服务器)
linux·运维·笔记·学习·云计算
bst@微胖子6 小时前
鸿蒙实现滴滴出行项目之侧边抽屉栏以及权限以及搜索定位功能
android·华为·harmonyos
国科安芯6 小时前
ASP4644芯片低功耗设计思路解析
网络·单片机·嵌入式硬件·安全
广药门徒6 小时前
Linux驱动开发与BuildRoot是什么关系与其的应用场景
linux·运维·驱动开发
艾菜籽6 小时前
网络原理-HTTPS
网络·网络协议·https
努力学习的小廉6 小时前
深入了解linux网络—— TCP网络通信(下)
linux·网络·tcp/ip
Bruce_Liuxiaowei9 小时前
MQTT协议在物联网环境中的安全风险与防范指南
运维·网络·物联网·安全·网络安全
Paul_09209 小时前
golang面经——内存相关模块
服务器·网络·golang
yenggd9 小时前
vxlan-bgp-evnp分布式网关配置案例
网络·分布式·华为
CiLerLinux13 小时前
第四十九章 ESP32S3 WiFi 路由实验
网络·人工智能·单片机·嵌入式硬件